shopifygmc

Privacy Policy

Last updated 11 May 2026

shopifygmc ("we", "our") operates the SaaS at shopifygmc.com. This page explains what data we collect, why, how long we keep it, and who else sees it.

1. What we collect

  • Account: email, name, hashed password, the workspace ("tenant") you create.
  • Stores you connect: Shopify domain, public store metadata, optionally a Google Merchant Center OAuth refresh token (encrypted at rest with AES-GCM).
  • Audit results: product feed snapshots, compliance findings, AI-suggested fixes, score history.
  • Billing: Gumroad sends us a sale ID, license key, product permalink, buyer email, and amount on every purchase/refund webhook. We do not store credit-card numbers — those live with Gumroad.
  • Operational logs: IP address, user-agent, and request paths for the last 30 days, used for rate-limiting and abuse detection.

2. How we use it

  • Run the audits and monitoring you asked for.
  • Send transactional email: verify-email, password reset, audit alerts, billing receipts.
  • Apply plan limits and bill you correctly.
  • Investigate abuse or security incidents.

We do not use your data for advertising, profiling beyond plan-limit metering, or sale to third parties.

3. Third parties we share with

  • Gumroad — processes all payments. Their privacy policy governs the checkout overlay.
  • Google Merchant Center / Google OAuth — when you connect a store, we make read-only API calls to fetch your account warnings and product diagnostics.
  • Shopify — we hit your store's public endpoints (product feed, robots.txt, sitemap) the same way a search-engine crawler would.
  • AI provider — to generate fix suggestions for an issue, we send the product title, description, and the specific violation. We do not send your email, account ID, or any data that would identify you. The provider does not retain prompts for training.
  • Email delivery — outbound mail is sent directly from our own server (signed with DKIM); no third-party relay is in the path today.

4. How long we keep it

  • Account + audit history: until you delete your workspace, or 12 months after the last subscription ends — whichever comes first.
  • Webhook events + billing records: 7 years (tax / accounting requirement).
  • Operational logs: 30 days.
  • Encrypted OAuth tokens: deleted the moment you disconnect a store.

5. Your rights

Under GDPR (EU/UK) and CCPA (California), you can ask us to:

  • Export a copy of your data in machine-readable form.
  • Correct anything that's wrong.
  • Delete your workspace and all associated data (keeping only what tax law requires).
  • Object to or restrict any processing you don't agree with.

Email privacy@shopifygmc.com with the request. We respond within 30 days. If we can't satisfy you, you can file a complaint with your local data-protection authority.

6. Security

  • HTTPS-only across the whole product (HSTS preload).
  • Passwords stored with Argon2id; OAuth tokens encrypted at rest.
  • Sessions are signed and HTTPS-only.
  • Postgres is on a private interface; no direct external access.

If you discover a vulnerability, please email security@shopifygmc.com before disclosing publicly.

7. Cookies

We set one essential cookie — your session token. We don't run analytics or ad cookies. If we ever add them, this page will be updated and we'll ask first.

8. Children

shopifygmc is a B2B SaaS for Shopify merchants. It isn't intended for anyone under 16. We don't knowingly collect data from children; if you believe we have, email us and we'll delete it.

9. Changes to this policy

Material changes are emailed to all active users 14 days before they take effect. Minor wording fixes are listed at the top of this page with a new "Last updated" date.

10. Contact

shopifygmc, operated by SmartShopAutomation. Reach us at privacy@shopifygmc.com.